SEC rule for finance firms boosts disclosure requirements

One SEC Commissioner, Hester Peirce, voted for the new rule but expressed concern that it might generate notification fatigue, which could lead people to eventually ignore all security notifications. “My greatest concern about the rule is that its breadth could undermine the value of the customer notifications by making them so commonplace that people ignore them. At some point, the notifications will stop having the intended effect. If covered institutions fear being second-guessed after making a reasonable judgment not to send a notice, they will err on the side of sending a notice, even if one might not be necessary,” Peirce said in a statement. “How does your behavior change if you start getting a notice every few months? Or every month? Or every week? What if you get notifications from multiple entities related to the same breach?”

Peirce also said that the new rule may only add to today’s patchwork of breach disclosure rules, in which individual states mandate requirements that differ from those of various federal agencies. “The industry still will contend with an array of different and sometimes conflicting state and federal requirements. Further consolidation and harmonization of these requirements is a worthy goal on which federal and state regulators should continue to work,” Peirce said.

Brian Levine, an attorney who is the Ernst & Young managing director for cybersecurity, appreciates Peirce’s position but strongly disagrees with her conclusion. “They need to be reducing the underlying breaches and not worry about whether their customers are getting desensitized to them,” Levine told CSO. “Notification fatigue is a very real thing, but the solution is to have fewer breaches, not fewer notifications.”
